[ci] grants write permission to create branch in remote

[chunhtai]

The branch release workflow failed with

Parsing package "packages/packages/go_router"...
  Creating new branch "go_router-23134404669-1"...
  Pushing branch go_router-23134404669-1 to remote origin...
Unhandled exception:
ProcessException: remote: Permission to flutter/packages.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/flutter/packages/': The requested URL returned error: 403
  Command: git push origin go_router-23134404669-1

https://github.com/flutter/packages/actions/runs/23134404669/job/67194648551

Pre-Review Checklist

• I read the Contributor Guide and followed the process outlined there for submitting PRs.
• I read the AI contribution guidelines and understand my responsibilities, or I am not using AI tools.
• I read the Tree Hygiene page, which explains my responsibilities.
• I read and followed the relevant style guides and ran the auto-formatter.
• I signed the CLA.
• The title of the PR starts with the name of the package surrounded by square brackets, e.g. [shared_preferences]
• I linked to at least one issue that this PR fixes in the description above.
• I followed the version and CHANGELOG instructions, using semantic versioning and the repository CHANGELOG style, or I have commented below to indicate which documented exception this PR falls under¹.
• I updated/added any relevant documentation (doc comments with ///).
• I added new tests to check the change I am making, or I have commented below to indicate which test exemption this PR falls under¹.
• All existing and new tests are passing.

If you need help, consider asking for advice on the #hackers-new channel on Discord.

Note: The Flutter team is currently trialing the use of Gemini Code Assist for GitHub. Comments from the gemini-code-assist bot should not be taken as authoritative feedback from the Flutter team. If you find its comments useful you can update your code accordingly, but if you are unsure or disagree with the feedback, please feel free to wait for a Flutter team member's review for guidance on which automated comments should be addressed.

Footnotes

1. Regular contributors who have demonstrated familiarity with the repository guidelines only need to comment if the PR is not auto-exempted by repo tooling. ↩ ↩²

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[stuartmorgan-g]

Giving the entire job full write permissions to the repo seems very risky. Can we refactor to have a specific step do nothing but create the branch, and give only that step write access?

/cc @jtmcdole for potential Infra input on access scoping.

[chunhtai]

There isn't a good way to set granular permission for each step unless we use Personal access token. The best we can do is to separate out different job and gave different permission for each job. However, each job will be different run instance, and won't share the environment setup. This means the source code checkout and repo tool setup will have to be called for each job.

I separated out the branch creation and pull request creation to be separated job to have slightly better permission control.

If we want anything better, we will need to set up PAT, probably using the @fluttergithubbot .